As we set out to enhance personalization on Marriott.com, we realized we needed guidelines to inform our thinking and shape our decisions, particularly decisions related to customer privacy. Our earlier user research revealed the need for greater personalization and helped us understand customer attitudes towards privacy. From there, we sought to build customer trust and loyalty by addressing concerns about privacy and security in every aspect of the user experience. In creating the Guiding Principles outlined here, we conducted a thorough analysis of eight major websites and then merged the findings with what we already knew. These principles apply specifically to "remember me" personalization.
In its simplest form, “remember me” personalization is the capability of some websites to “remember,” or pre-fill, your username when you return to the site so you don’t have to enter it every time. Usually there is a checkbox where you sign in that says something like “Remember me” or “Save my password.” Some sites, such as Amazon, provide “remember me” personalization automatically. In fact, Amazon serves as an example of incredibly sophisticated and robust “remember me” personalization because the site seems to remember everything about you, such as what you bought, what you viewed, and what you left in your shopping cart.
How do sites “remember”? Cookies.
A cookie is a small text file sent by a website to be stored on a computer so the site can identify a user when she returns. Cookies can be used for personalization, processing transactions, and tracking a user’s activity on a website. Many sites use them to target advertisements for users who may be interested in specific products and to vary the advertisements shown to one user so she will not see the same one repeatedly.
Checking the “remember me” option on a website might expose personal information if the computer you’re using is “public.” If someone else uses the same computer and browser to visit a site you opted to have “remember” you, that person may gain access to your personal information. People also avoid cookies because they dislike knowing a website is always “watching” them, keeping track of everything they do.
Why we wanted to enhance personalization on Marriott.com.
We took a three-pronged approach: examining our past user research, our customers, and our competition.
Previous studies gave us insight into the way customers view their account information: specifically, what personal information they consider private, semi-private, or non-private. We met with our in-house privacy expert and with a leading technology and market research company to understand what business issues might arise as a result of “remember me” personalization. They were unaware of companies facing legal problems resulting from privacy issues related to personalization; however, both experts acknowledged that some businesses have encountered challenges from a public relations perspective.
Finally, we studied how direct competitors, secondary competitors, and major sites outside our industry are using “remember me” personalization by performing a detailed competitive analysis. We discovered that choosing to be “remembered” means different things on different sites. At one end of the spectrum, it’s like an automatic sign in, enabling full access to account/personal information. The other end involves little more than a username pre-fill, allowing for quicker sign in.
What we learned—it’s a jungle out there.
We discovered that there are virtually no established standards or guidelines for “remember me” personalization. Several organizations, including the World Wide Web Consortium (W3C), the International Organization for Standardization (ISO), the Personalization Consortium, and the Center for Democracy and Technology (CDT) have led initiatives aimed at protecting consumers’ privacy and at requiring websites to ensure that personal information is kept secure. Most notably, the W3C’s Platform for Privacy Preferences Project (P3P) offers users more control over how their personal information is used by:
- Defining standards for simplifying the structure, content, and language of website privacy policies to help users understand what personal information a site collects and how it will be used.
- Allowing users to select privacy preferences within a P3P-enabled browser and notifying them when they are visiting a P3P-enabled website if the site’s privacy practices conflict with their preferences.
What was the outcome of our research? We developed the Guiding Principles: general guidelines for creating “remember me” personalization that’s effective from both the customer and business perspectives. Some of the principles were gleaned from what appear to be emerging best practices; others resulted from bad experiences, i.e., how not to implement “remember me” functionality.
These Guiding Principles should help your team stay focused on what really matters. They may evolve over time, but for now, they provide a framework for consistency.
The Guiding Principles
1. Communicate openly and clearly about security and privacy.
Address customers’ concerns, and do it in context—for example, when they are signing in or being asked for information.
Customers want to know:
- Why the site wants or requires personal information.
- What personal information is collected.
- What cookies are set and what these cookies are called.
- What is in each cookie.
- How personal information will be used by the site and third parties, and who these third parties are.
- How users can access their personal information.
- Options for controlling how personal information is used.
- How personal information will be protected.
2. Explain the value of personalization to customers.
Customers should always get something from personalization, and the benefits should be proportional to the amount of personal information they provide. Make it clear what they will get in exchange for their personal information.
3. Build customer trust.
There are many ways to do this:
- Protect the customer’s information: display information that is personal but not unique to a customer. For example, membership level within a hotel or airline loyalty program is shared by many customers, whereas Social Security number and member number are unique to one particular customer.
- Warn customers about using “remember me” functionality on public computers.
- Be consistent when presenting and asking for customers’ information.
- Make it easy for customers to provide feedback.
- Respond to customer concerns/feedback.
- Scale personalization gracefully: the more loyal the customer, the more she already trusts the site, and likely, the more often she uses (and wants) personalization.
4. Give customers flexibility and control.
Allow them to opt out of being remembered at any time. Make it clear how to do that and make it simple:
- Provide well-marked paths and landmarks.
- Offer reliable visual cues for context.
- Keep them informed so they do not enter into an experience unwittingly.
- Make actions reversible so they do not make irrecoverable changes.
- Always allow a way out, but make it easier to stay in.
5. Make customer participation in personalization seamless, but obvious.
Give customers options for personalizing content and gather information iteratively at appropriate times, offering feedback and “gentle reminders” prompting them to update personal information. Make it easy for them to provide information, but make sure that providing it is a conscious decision by the customer.
6. Provide personalization whenever possible, as long as it is relevant.
Use personalization to enhance the customer’s relationship with the site, and keep it in the context of what the customer is doing while on the site. Ensure that “remember me” personalization supports the mission and purpose of the website.
7. Test “remember me” functionality to ensure it works and is usable.
Make sure the functionality works the way it’s supposed to.
- Provide clear visual and verbal cues that reveal the customer’s status: remembered, signed in, or not recognized.
- Make sure visual and verbal cues match the site’s performance, i.e., no “sign out” link for “cookied” customers because they are not signed in.
- Differentiate the “remember me” feature from sign in.
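The three customer states above can be enforced on the server as well as in the interface. The sketch below is an added example, not code from Marriott.com: the cookie names `session_id` and `remember_me`, the HMAC-signed token format, the secret, and the sample profile are all assumptions made for illustration. It shows a remembered customer receiving only personal-but-not-unique fields and no “sign out” link.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the browser

# Principle 3: a remembered customer sees personal but not unique fields only.
VISIBLE = {
    "not_recognized": set(),
    "remembered": {"first_name", "membership_level"},
    "signed_in": {"first_name", "membership_level", "member_number"},
}
# Principle 7: a "cookied" customer is not signed in, so there is no "sign out" link.
LINKS = {
    "not_recognized": ["sign in"],
    "remembered": ["sign in", "not you? forget me"],
    "signed_in": ["sign out"],
}
# Constructed sample data (hypothetical customer and session).
PROFILES = {"u1001": {"first_name": "Ana", "membership_level": "Gold", "member_number": "000000000"}}
SESSIONS = {"s-abc": "u1001"}

def sign(user_id: str) -> str:
    """Build the remember-me cookie value: user id plus an HMAC over it."""
    mac = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"

def verify(token: str):
    """Return the user id if the HMAC matches, else None (tampered or malformed)."""
    value, _, mac = token.rpartition(".")
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if value and hmac.compare_digest(mac, expected) else None

def customer_status(cookie_header: str, sessions: dict):
    """Classify a raw Cookie header as signed_in, remembered or not_recognized."""
    jar = SimpleCookie(cookie_header)
    if "session_id" in jar and jar["session_id"].value in sessions:
        return "signed_in", sessions[jar["session_id"].value]
    if "remember_me" in jar:
        user = verify(jar["remember_me"].value)
        if user:
            return "remembered", user
    return "not_recognized", None

def render_header(cookie_header: str, sessions=SESSIONS, profiles=PROFILES) -> dict:
    """Return what the page header may show for this request."""
    status, user = customer_status(cookie_header, sessions)
    shown = {k: v for k, v in profiles.get(user, {}).items() if k in VISIBLE[status]}
    return {"status": status, "shown": shown, "links": LINKS[status]}
```

Because the remember-me cookie never opens a session, anyone who later uses the same shared computer sees at most a first name and a membership level.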
8. Make sure that “remember me” personalization provides good ROI before implementing.
Check with customers to ensure that the personalization you provide has value, and to determine ways to improve it. Review site statistics related to use of personalization, such as the number of users who check “remember me.” When planning enhancements to personalization, set metrics and then track results.
9. Before providing personalization, consult with the legal department.
Know the company’s policies regarding personal information and be aware of any past situations involving the company or the company’s industry that may have caused legal problems. Watch for emerging guidelines and best practices related to personalization.
The author would like to thank Beth Toland for coming up with the idea of creating Guiding Principles, as well as for her insight, inspiration, support, and careful scrutiny of this article. Thanks also go to Rich Shaub, Michael Rabjohns, Jill MacNeice, Mariana Cavalcanti, and Barney Kirby for their support and highly valued input.